[ OWASP - Montréal ] Brute force HTML form password guessing

Philippe Blondin blondin.philippe at gmail.com
Tue Nov 25 23:10:48 EST 2008


Thanks for your quick answer Laurent :P

This is actually the first post on Owasp Montreal group. Just wanted to 
drop a line to say that I am very happy to see some activity here. I 
hope to see a lot more in the future.

I also have a question in mind: Should this mailing list be in either 
French or English, or both?

Philippe Blondin

Benoit Guerette wrote:
> That was too obvious ;) I didn't find the replay tool, but I can use 
> the fuzzer and provide a password.txt file as a source, so it will do 
> brute force password guessing
>
> Thanks!
>
> WebScarab is doing very well with HTTPS, but I have trouble with burp. 
> Paros is great, but it uses a homemade user-agent so my web application 
> firewall drops all requests
>
>
>
> I looked in the mailing list history, seems we are the first to post?
>
> On Tue, Nov 25, 2008 at 10:15 PM, Laurent Desaulniers 
> <laurent.desaulniers at gmail.com> wrote:
>
>     Hello,
>
>       I am very happy to see activity on the Owasp Montreal group. To
>     answer your question, there are many options. You can do
>     bruteforce with webscarab, using the post replay tool (under the
>     advanced view). Of course, burp proxy and paros will do the same.
>     If you look for something more automated, burp proxy 2.0 will be
>     able to brute force automatically.
>
>     I am also told that websleuth may be able to do it too
>     (http://sandsprite.com/Sleuth/). W3af
>     (http://w3af.sourceforge.net/) is also able to brute force http
>     forms (either use formauthBrute or SpiderMan).
>
>
>     I hope it answers your question.
>
>
>     Laurent Desaulniers
>
>
>
>     On Tue, Nov 25, 2008 at 8:22 PM, Benoit Guerette
>     <benoit.guerette at gmail.com> wrote:
>
>         Hi!
>
>         I am using WebScarab for a lot of injection tests. Is there
>         any good tool for brute force password guessing in html forms?
>         It does not seem to be an option on WebScarab.
>
>         Most antivirus don't like brutus, and I have trouble running
>         Burp Suite with ssl.
>
>         Thanks
>
>         -- 
>         http://www.linkedin.com/in/benoitguerette
>
> -- 
> http://www.linkedin.com/in/benoitguerette